If every user uses exactly one device, it is known that Signal achieves forward secrecy and even post-compromise security (i.e. security of future communications in case of leakage of long-term secrets).
But the Signal protocol also allows for the use of multiple devices via the Sesame protocol.
This multi-device setting is typically ignored in the security analysis of Signal.
In this work, we discuss the security of the Signal messenger in this multi-device setting.
We show that the current implementation of the device registration allows an attacker to register an own, malicious device, which gives them unrestricted access to all future communication of their victim, and even allows full impersonation.
This directly shows that the current Signal implementation does not guarantee post-compromise security.
2 Likes